TRANSCRIPT
Sherryanne Meyer, ASUG Installation Member, member since 2000
Anup Maheshwari, ASUG Installation Member, member since 2008
Ajay Vonkarey, ASUG Installation Member, member since 1999
Thomas Neudenberger
COO, realtime North America inc.
Indisputable Data and Transaction
Protection for SAP
Real Experience. Real Advantage.
Is your SAP System safer than a cruise ship?
FBI charges Rick Ehlert, Holland America passenger, for releasing ship's anchor
Officials say 44-year-old Rick Ehlert was a passenger on Holland America's 1,260-passenger Ryndam bound for Tampa when he entered a restricted area and let the ship's rear anchor loose: http://www.wtsp.com/news/local/story.aspx?storyid=159538
• How is it possible that a drunken customer even gets access to the restricted area?
• How did he get access to the “function” that allowed him to release the anchor?
• Why were there NO sufficient security measures in place such as cameras?
• How hard would it be to protect releasing the anchor with a key operated switch?
• Why didn’t anybody see the DANGER until something actually happened?
• Should the cruise line be charged with negligence for endangering customers?
Business Pain Points at Every Organization
• 93% of fraudsters were first time offenders
• A company’s average loss was 7% of their revenue
• The first single incident cost companies $239,000 in damages*
• Fraud schemes continued for years - many are NEVER detected
• Bad Press could decrease revenue and shareholder value
• Most catastrophic fraud is committed with a stolen user profile!
* The financial damage of the “first single incident” increased from $175,000 in 2008 to $239,000 in 2009! Damages reach billions!
The Association of Certified Fraud Examiners (ACFE) 2008 Fraud Study – links on the last page!
Technical Pain Points at Every Organization
• Overwhelmed with access control efforts for all users
• Gaps in Security Roles tend to "over permit" users (statistics)
• No technology to protect critical functions or the actual data
• Restrict Access for tables or programs in SE16 / SE38
• Need to block or mask critical information in Systems
• Establish “true” SoD’s and clear accountability
• Extensive password sharing
“I will give you my password if you tell me yours!” – “It will cost you dinner!” – Password1
History - Passwords Become Easier to Obtain
Passwords have been around since the first computers in 1963, and while they might have been fairly secure back then, technology is evolving and is making them more vulnerable on a daily basis:
• Before the Internet intruders had to physically break into a company first
• Password crackers, computers and technologies get faster every day*
• Hacking tools are now legally sold in stores as Password Recovery tools
• Physical and logical key loggers can be implemented without detection
• Hidden cameras and even cell phones can easily video tape passwords
• Surveillance cameras are everywhere where users log on (example: airport)
• Algorithms can decrypt passwords just based on sound (record it)
• Users have too many passwords and are forced to write them down
• Systems require frequent password renewal (forcing users to write them down)
• Users are forced to create more complex and longer passwords (can’t remember)
* Recent News: Computer clustering allows the cracking of complicated passwords in 20 minutes instead of 5 days!
Many Ways for Intruders to Get Passwords
• Look in desk drawers or on the “yellow sticky note”
• Look over shoulders of co-workers (shoulder surfing)
• Videotape it - watch for people with a cell phone around you
• Ask colleagues – 40% admit to sharing passwords
• Get emergency password (administrators / security guard)
• Call hotline to get password reset for any user
• Associate with owner (pet, family, hometown, birthday)
• Check unencrypted .ini files
• Try SAP default password for SAP* - 06071992
• Key Catcher, Password Cracker – Now: Recovery Tools
• Monitoring / Sniffers (transfer from GUI not encrypted)
Where to find it: Download the “Fishing for Passwords” document at www.showpasswordsthefinger.com
Increase Security & Accountability for SAP
82% of all SAP passwords are written down (SAP-Info Online)
Use a combination of 2 or 3 methods for ultimate security and accountability!
Smart Cards can still be lost, stolen, copied and shared and they offer no indisputable accountability
The indisputable accountability will be much stronger using biometric technology
#1 Pain Point at any SAP customer is “Password Sharing”
bioLock is Compatible with Almost any Device
• All UPEK sensor devices including FIPS 201
• All AuthenTec sensor devices (TruePrint tech.)
• SecuGen product line with optical device
• Most leading laptops with built-in swipe sensors
• Most smart card readers and keyboards
Devices cost between $50-$150 and are only needed for a few 100 Users
Note: Contact us for a compatibility list
Technology to enhance SSO and Access Control
Other technologies protect the outside while this technology will protect your system from the INSIDE.
Outside SAP, before you access SAP (existing/ongoing/future projects): Single Sign On, Access Controls, Identity Management, Microsoft Forefront, Kerberos / Tokens, Smart Card / CAC, Active Directory, etc.
Inside SAP, after you access SAP, in addition to access: 5 Level Protection
• Level I
• Level II
• Level III
• Level IV: Exceeding Values
• Level V: Dual Signature
• Protect Critical Data
Prevent Sharing of SAP User Profiles
Even though this guy identifies himself as “Tom N.” on his space suit…
Your security guard will definitely stop this guy at the main gate!!!
Your security guard will ask to compare his face (biometric features) with his photo ID (biometric template) and perform a manual face recognition process to confirm ID.
Without using biometrics we can only identify “Space Suits” with names on them (SAP User Profile Names) walking around in the most critical part of our organization – the SAP System.
You have NO WAY of identifying WHO is using the space suit or SAP user profile – nor can you reject a user based on their identity.
As a first step, the technology will uniquely identify the USER behind the “Space Suit” (User Profile) and prevent the challenge of unauthorized access through password sharing!
Override ANY SAP Authorizations
In a hotel you access your room with a key card. How many other people have key cards that open YOUR door?
How do you protect yourself, your family or your valuables at night?
Before you go to sleep in a hotel room, you lock the swinging “door bar” and “override the access” for other, normally-authorized users.
This technology allows you to place swinging door bars anywhere in the SAP system and override existing authorizations. A user needs specific permission from our technology to access protected functions and data.
Independent Additional Protection
(Diagram: Authorized SAP User Profile Access → bioLock check (password and/or biometric template or smart card) → Override SAP Security)
bioLock permits users via biometric template, password or smart card – the protection is defined in bioLock and “blocks” the SAP User Profile Access.
Permit VIP Power Users – Not all Users
Before bioLock you had to worry about protecting access for ALL SAP Users…
Only Power Users with specific permissions will have access. Normal Users - and ALL OTHERS - will always be denied.
• Now you identify and protect selected critical functions in your system
• You PERMIT Power users that you WANT to “access critical functions”
• ALL OTHERS will not be able to access them – even SAP ALL
• Functions can either be protected Globally or on an Individual Basis
• You only have to “permit” a few 100 Power Users
Limit Access to Permitted VIP bioLock Users
The threat comes from the inside and outside: external employees, former employees, consultants, auditors, foreign hackers, terrorist groups.
Fraud is mostly committed by stealing or cracking a password to access profiles with critical, extended authorizations.
Example: 6000 Named SAP Users
• 2000 Users with any roles to “somehow” critical data
• 1000 Users with restricted roles to critical functions
• VIP Only: 500 Permitted bioLock Users for most critical functions (Ultimate Data Protection)
An Additional Integrated Layer of Security
The technology is completely integrated into SAP and adds an additional layer on top of your existing security:
Existing SAP Security + Additional bioLock Security – it will never “touch” or change your existing security roles or profiles!
Note: bioLock is installed into realtime’s own name space (/realtime) within your SAP system via SAP transports. It is completely integrated into SAP!
Protect “Anything” Valuable in the SAP System
Quickly and easily secure:
• Logon to a User Profile (e.g. Admin)
• Transactions (e.g. HR / PO / Finance)
• Infotypes (e.g. 008/167 etc.)
• Buttons (e.g. Print / Export / Execute)
• Display (e.g. Balance Sheet / )
• Execute (e.g. protect execution of anything…)
• Tables within SE16 / SE16N
• Programs within SE38
• Values (e.g. wire transfer of a certain amount)
• Screens (e.g. export control / ITAR)
• Mask Fields (e.g. make certain fields invisible)
• and more… (e.g. compliance, SoD, SOX etc.)
Lock “anything” within the SAP system by simply installing a predefined ABAP code (the swinging door bar). Every “door bar” has a unique id number and can now be activated and controlled via bioLock. Allow a few 100 Power Users to “open” the “door bar” with biometrics and/or smart card authentication (CAC).
Proof is Always in Writing for the Auditors
SAP’s log file can only identify the SAP User Profile – you only know that “space suit” Tom N was used.
bioLock uniquely identifies the ACTUAL USER with biometrics.
bioLock rejects and shows in the LOG files which UNAUTHORIZED user tried to use colleagues’ SAP user profiles.
General Pain Points for Customers
Securely protect any confidential, private, classified or high-value data
Mask screens, fields, tables and protect any secret information
SAP Logon: Unauthorized users use or share SAP User ID’s even at different locations at the same time
Consultants: Internal and External consultants with limited loyalty to any company have extended access
HR: Protecting and securing HR info including health insurance, salaries and social security numbers
Finance: Prevent tampering with payment release, salaries, wire transfers, requesting or changing budgets
Balance Sheets: Access to critical company information
Research Data: Research data is stolen or changed (espionage)
Production Data: Components of critical production values such as chemicals in drugs are changed
Purchasing: Unauthorized users purchase unauthorized items
Workflow Approval: People use supervisors’ passwords
Fast User Switching: Users are supposed to log in and out (bank, hospital, warehouse etc.)
Access to critical functions that concern National Security such as power grids or water supplies
Remember multiple passwords that could require up to 15 characters each
True Identity Management / Compliance (Sarbanes-Oxley, Section 404, Internal Controls)
Much critical information is visible in QA Systems and too many people have legal access
Best Practices: Challenge with role based SoD’s
The Challenge of Role Based SoD’s:
GRC technology (or competitive products) identify and prevent that one SAP user can create a purchase order, approve it and issue a payment.
• The technology can only identify the conflicts based on user roles
• Bad guys simply logon with different user profiles to overcome SoD’s
• They circumvent SoD’s and it is difficult to prosecute, as criminals use multiple user profiles to commit fraud
• Even if fraud is identified, criminals can still point fingers at others
bioLock enforces SoD’s:
• bioLock prevents logon to other user profiles
• bioLock identifies and permits authorized users for tasks
• True SoD’s can be established based on biometric templates
• The log file shows identified users, establishes indisputable accountability and helps to convict violators and intruders
• bioLock deters fraud by requiring users to identify themselves
Best Practices – Fast User Switching
Challenge: 5 employees use 3 different computers and don’t have the time to log in and out when switching places

SAP User Profile   bioLock User
Teller PC1         Thomas, Amanda, April, James, Peter
Teller PC2         Thomas, Amanda, April, James, Peter
Teller PC3         Thomas, Amanda, April, James, Peter

The Solution:
• Critical functions on all 3 computers are protected with bioLock
• The biometric templates of all 5 users are assigned to all 3 computers so the 5 authorized users can switch between computers and execute protected functions
• Unauthorized colleagues or customers can not execute the functions even if the computer is logged on since the template is not assigned
Example: Bank, Hospital, Warehouse, Customer Service, Call Center etc.
Best Practices: Pharmaceutical Company
The Challenge:
Purdue Pharma L.P., a pharmaceutical company focused on meeting the needs of healthcare providers and the patients in their care
• Financial workflow approval within SAP guaranteeing only executives can approve
• bioLock was required to work within a web based system (browser based)
• An email sent to a supervisor had to trigger biometric approval in a web browser
The Solution:
• Purdue is using bioLock for workflow payment approval
• An automated workflow sends an email with a link to approver
• Approver clicks the link and bioLock pops up a window
• bioLock asks the user to authenticate themselves
• bioLock approves the transaction in the web browser
• Once done, the payment is immediately approved within SAP.
Best Practices: Banking / Finance System
The Challenge:
The oldest central bank in the world had multiple critical tasks in their financial application including opening balance sheets, approving budgets and issuing wire transfers
• Groups of people had access to many parts of the finance system
• The client needed to uniquely identify the “actual user” and log activities
• Management requested that 2 individuals would authorize certain tasks
The Solution:
• bioLock dual confirmation group was enabled
• 2 people have to authorize tasks
• Both will be uniquely identified… and logged in the log file
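The override layer, the fast user switching case and the dual confirmation case described in the slides above all rest on one design: a default-deny gate keyed by the protected function's id that consults a permit list of identified persons rather than SAP roles, and that logs the identified person next to the SAP profile that was used. The Python below is an added illustration of that design, not realtime's bioLock code or its ABAP "door bar"; the class names, the constructed permit lists, the workstation names and the sample persons (the five tellers from the slide, plus Anna, Bjorn and Carl for the finance case) are assumptions, and identification is simulated by passing the already-identified person's name instead of matching a biometric template.

```python
"""Model of an independent, default-deny authorization layer inside SAP (the
"swinging door bar" idea from the slides). Added illustration, not bioLock
code: all names, permit lists and sample users are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class DoorBar:
    """One protected function. The gate never consults SAP roles: the caller
    is allowed only if the *identified person* is on the permit list."""
    bar_id: str                                # unique id of the protected function
    permitted: Set[str]                        # identified persons (biometric templates)
    workstations: Optional[Set[str]] = None    # None = any workstation
    dual_signature: bool = False               # two distinct permitted persons required


@dataclass
class LogEntry:
    bar_id: str
    sap_profile: str           # the "space suit": what SAP's own log would record
    identified: Optional[str]  # who the biometric layer actually identified
    workstation: str
    decision: str              # "PERMIT" or "DENY"
    reason: str


class OverrideLayer:
    """Default-deny gate in front of protected functions, with its own audit log."""

    def __init__(self) -> None:
        self.bars: Dict[str, DoorBar] = {}
        self.log: List[LogEntry] = []

    def protect(self, bar: DoorBar) -> None:
        self.bars[bar.bar_id] = bar

    def _decide(self, bar_id: str, profile: str, who: Optional[str],
                ws: str, ok: bool, reason: str) -> bool:
        self.log.append(LogEntry(bar_id, profile, who, ws,
                                 "PERMIT" if ok else "DENY", reason))
        return ok

    def check(self, bar_id: str, sap_profile: str, identified: Optional[str],
              workstation: str, second: Optional[str] = None) -> bool:
        bar = self.bars.get(bar_id)
        if bar is None:
            return True  # unprotected function: existing SAP authorizations decide alone
        if identified is None:
            return self._decide(bar_id, sap_profile, None, workstation, False,
                                "no identification presented")
        if bar.workstations is not None and workstation not in bar.workstations:
            return self._decide(bar_id, sap_profile, identified, workstation, False,
                                "workstation not assigned")
        if identified not in bar.permitted:
            # SAP_ALL on the profile changes nothing: the person is not permitted
            return self._decide(bar_id, sap_profile, identified, workstation, False,
                                "person not permitted")
        if bar.dual_signature and (second is None or second == identified
                                   or second not in bar.permitted):
            return self._decide(bar_id, sap_profile, identified, workstation, False,
                                "second distinct permitted signer missing")
        return self._decide(bar_id, sap_profile, identified, workstation, True,
                            "permitted" + (f" with {second}" if second else ""))


def denied_attempts(layer: OverrideLayer) -> List[Tuple[Optional[str], str, str]]:
    """(identified person, SAP profile used, function) for every denial: the
    audit view the slides describe, naming the person behind the profile."""
    return [(e.identified, e.sap_profile, e.bar_id) for e in layer.log
            if e.decision == "DENY"]


def demo() -> Tuple[OverrideLayer, Dict[str, bool]]:
    layer = OverrideLayer()
    tellers = {"Thomas", "Amanda", "April", "James", "Peter"}  # names from the slide
    # Fast user switching: one protected function, all five templates on all three PCs
    layer.protect(DoorBar("teller_cash_payout", tellers, {"PC1", "PC2", "PC3"}))
    # Dual signature: constructed finance signers
    layer.protect(DoorBar("wire_transfer_release", {"Anna", "Bjorn", "Carl"},
                          dual_signature=True))
    results = {
        "thomas_pc2": layer.check("teller_cash_payout", "TELLER_PC2", "Thomas", "PC2"),
        # a customer at a terminal that was left logged on with the PC1 profile
        "customer_pc1": layer.check("teller_cash_payout", "TELLER_PC1", "Customer", "PC1"),
        # an administrator whose profile carries SAP_ALL is still not a permitted person
        "admin_sap_all": layer.check("teller_cash_payout", "ADMIN_SAP_ALL", "Admin", "PC3"),
        "wire_single": layer.check("wire_transfer_release", "FINANCE", "Anna", "HQ1"),
        "wire_same_twice": layer.check("wire_transfer_release", "FINANCE", "Anna", "HQ1",
                                       second="Anna"),
        "wire_dual": layer.check("wire_transfer_release", "FINANCE", "Anna", "HQ1",
                                 second="Bjorn"),
        "unprotected": layer.check("display_own_timesheet", "TELLER_PC1", None, "PC1"),
    }
    return layer, results


if __name__ == "__main__":
    layer, results = demo()
    for name, ok in results.items():
        print(f"{name:16s} {'PERMIT' if ok else 'DENY'}")
    for entry in layer.log:
        print(entry)
```

Two points of the design are worth noting. The gate answers "is this identified person permitted for this function here?" and never looks at the SAP profile's roles, which is what lets it deny a profile that holds SAP_ALL while leaving unprotected functions untouched. And every decision on a protected function is logged with the identified person alongside the SAP profile, so a denial reads as "Customer tried to use TELLER_PC1" rather than merely "TELLER_PC1 was refused".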
Best Practices: Government HR / HIPAA
The Challenge:
Brevard County Government, home to NASA and the Kennedy Space Center, is running SAP including HR
• Multiple employees had access to extremely critical HR data
• Misuse of the data by employees and others was easily possible
• Brevard needed to protect and uniquely identify the actual SAP USER
The Solution:
• Rick Meshberger installed biometrics
• Access and changes are limited to uniquely identified users
• A log file can prove who did ‘what’ and ‘when’
Expert Statements – SAP TV Movie
You are invited to view some expert statements at your convenience:
http://realtimenorthamerica.com/download/Expert_statements.wmv
Other SAP movies including bioLock: http://www.realtimenorthamerica.com/saptv.shtml
2010 NBC Crime Tracker NEWS interview at realtime’s headquarters: http://www2.tbo.com/video/2010/jan/07/fingerprint-security--15050/video-news/
Technology Review
• It is the next logical step in addition to Single Sign On and Access Control efforts
• Enables powerful protection of confidential information and data on the field level within the SAP System
• Prevents unauthorized actions and illegal access far more effectively than other security measures
• Effectively blocks consultants, administrators, auditors and anyone that should not be permitted access to certain sensitive functions and data regardless of existing security permissions
• Establishes indisputable accountability, control and “true” SoD’s
Key Learnings - Highlights Summarized
• adds additional layers of security to the SAP system
• protects organizations from the risk of MILLION dollar losses
• is a proven technology backed by over 100 employees
• is implemented and up and running in a few days
• requires minimal training, configuration or maintenance
• has an immediate ROI in the first year and very low TCO
• is the only certified biometric technology available for SAP*
*SAP ERP 4.6 certified in 2002 / SAP NetWeaver certified in 2006
bioLock permits Good Guys - blocks Bad Guys
Even if your company has 1000’s of named SAP Users… only a few hundred VIP Power users need to be permitted with their “finger” (biometric templates).
bioLock will protect your entire SAP System from anyone else: IT consultants, former employees, insider theft, outside hackers, terrorist groups.
• Most companies only need to protect a few hundred Power Users
• Installation takes a few days and no user training is necessary
• Minimal ongoing maintenance required
Additional bioLock and Fraud Information
• SAP TV Movies on our website: Movies from SAP TV, demo movie, fraud movie etc - great to share! (Link)
• Fishing for Passwords document: How to get SAP passwords and how to explain it to the Management! (PDF)
• SAP Info Article Feb. 2009: Biometric Security for Financial Meltdown Solutions (PDF)
• Ultimate DLP/Risk and Compliance 1 Pager: bioLock is the ultimate Data Loss Prevention/Risk solution (PDF)
• Fraud Mitigation Document: Executive Sum. why and how to use biometrics for mitigating fraud (Link)
• Maintaining Integrity of SAP Data: 1 Page Executive bioLock Explanation/Value Proposition with pictures (PDF)
• NEW 2010 bioLock Flyer! 2 page detailed description about bioLock functionality (PDF)
• eWeek Article about Fraud*: How Wall Street Can Mitigate Financial Fraud Using Biometrics (Link)
• SOX Compliance - $400 Fraud*: SOX compliant Dupont has $400Mil Fraud Case - Study (Link)
• ACFE 2008 Fraud Study: Actual alarming fraud statistics from 2008 - 7% of revenue is fraud! (PDF)
• 2009 Occupational Fraud Study: Conclusion: Ensure proper fraud prevention procedures are in place! (PDF)
• NBC/Channel 8 Crime Tracker News: Interview about the use of passwords to prevent corporate fraud (PDF)
• Threat from the Inside and Outside: Cyber threats now targeting traditional companies (must read article) (Link)
Thank you for participating.
SESSION CODE: ASUG Florida Chapter Tampa Networking Event, Wednesday, December 8, 2010
Please remember to complete and return your evaluation form following this session.
For ongoing education on this area of focus, visit the Year-Round Community page at www.asug.com/yrc